10 Concerns When Buying Cyber InsuranceBreaches Propel Organizations to Mull Insurance Protection
Interest in cyber insurance rises with every report of a high-profile computer breach.
Last year, 42 percent of one major broker's clients had cyber insurance, up from 15 percent in 2008.
It's not only high-profile breaches that have peaked interest in cyber insurance, but regulatory pressures, says John Wheeler, a research director at IT adviser Gartner. In the U.S., the Securities and Exchange Commission requires publicly traded companies to disclose their cyber risks as well as any cyber insurance coverage they have. Also, insurance brokers and providers have upped their marketing efforts, says Wheeler, who weighed the pros and cons of cyber insurance at the recent Gartner Security Summit in National Harbor, Md.
Among the advantages of cyber insurance: Protecting against a major cyber risk, but one that can be specified. Some enterprises in industries such as financial services use cyber insurance to meet regulatory requirements. Cyber insurance could be beneficial to protect against easily valued losses such as regulatory fines and breach notification.
But, Wheeler cautions, organizations must measure those benefits against some of cyber insurance's drawbacks. Cyber insurance isn't a stopgap measure to compensate for weaknesses in an IT security program. Blank coverage for a broad array of low-limit loss events doesn't make sense. And, he says, don't buy insurance because of fear spawned by highly publicized cyberattacks.
Unlike other types of liability insurance, there hasn't been enough history in claims and payouts for underwriters to know what to charge, several experts in the field say. At a Seton Hall University symposium on cyber insurance earlier this month, one presenter - from an insurer - said a dearth of experienced cyber insurance underwriters exists. The lack of history and underwriters, several experts say, makes it hard for insurers to know exactly how much they should charge for coverage.
"Cyber insurance remains a gamble to insurance companies," says Paul Proctor, a Gartner vice president and distinguished analyst, comparing the risk insurers face to that of Lloyds of London, the famous British reinsurer, insuring the legs of a celebrity dancer. If insurers bet wrong on cyber insurance, they may not have the financial wherewithal to pay claims.
Gartner estimates cyber insurance premiums range from $10,000 to $35,000 for $1 million in coverage.
What kind of coverage do the two dozen or so carriers offer? Various flavors of policies cover network intrusion; breach notification; loss of income and business interruption; regulatory civil action; and cyber extortion and terrorism.
At the security summit, Proctor outlined 10 considerations organizations should address when buying cyber insurance:
- Buying into the sales pitch: Most articles written about cyber insurance are favorable. They should be taken with a grain of salt because most were sponsored by "somebody in the supply chain for cyber insurance," Proctor says.
- Broker experience: "There's already enough risk in this field," Proctor says. "Make sure you have someone on your team who has experience with actually working with clients who filed claims, not somebody reading the back of the policy to see what's in it."
- Policy complexity: Lots of exclusions exist in cyber insurance. Develop scenarios of cyber losses to determine if an insurer will pay claims.
- Policy qualifications: Claim processers often don't understand cybersecurity, such as advanced firewalls with malware protection. Are you covered if those protections were turned off? Ignorance here isn't bliss because that could lead to a denial of claims for items the insured might believe are covered.
- Pre-insurance survey: Be careful and specific in filling out the forms that define the coverage you seek. Insurers could deny a claim if the insured says in the pre-insurance survey it employs an 8-character, alphanumeric password when a breached account password was "chocolate."
- Filing claims: Cyber insurance is a fairly nascent industry, with little known historically on how insurers pay claims. Indeed, insurers are just getting their sea legs, and providing cyber coverage remains a big risk for many of them. "If it's a gamble for them, it's a gamble for you," Proctor says.
- Selecting coverage: There are many different types of coverage organizations can buy. "Think this through with your insurance team to make sure you get appropriate coverage, and which ones pay," he says.
- Understanding exclusions: If an employee loads a program with malware on a computer, is that covered?
- The cloud: Don't expect much protection for data in the cloud. Insurers cannot afford to payoff the risk for data stored in the cloud; it's not a sustainable business for them.
- Payment of claims: Gartner says it has inconsistent information on whether insurers pay claims. Besides the contention by the insurance industry that it does pay claims, Gartner says it can't find independent evidence to confirm that. If you have significant cyber insurance and experience a loss, Proctor says, you still may have a fight on your hands.
Cyber insurance is hot; more and more insurers see the potential of profits by offering cyber insurance. It's risky for the insurers, and it's risky for the insured, too. Remember that when reviewing your cyber insurance options.